There is a lot of talk these days about Google’s decision to accelerate the deprecation of SHA-1, and IBM Domino’s lack of support for SHA-2 . Right off lets get this straight IBM absolutely should have plans to add SHA-2 support in Domino and an implementation date should be communicated ASAP. At the same time the pressure should really be on Google to back down from what is an arbitrary deadline they announced out of the blue, and to support the previously announced 2017 date for the deprecation of SHA-1.
While it is easy to blame IBM here (and again IBM needs to communicate a date they will support SHA-2 in Domino) the immediate deprecation by Google is an arbitrary move that does not have a lot of support.
- Microsoft previously announced their plans to deprecate SHA-1 in 2017
- Currently 92% of certificates on the Internet are SHA-1 signed
- Google then decided to begin deprecating SHA-1 in November of this year
- SHA-1 has not been compromised or hacked
- Google as an Intermediate CA is issuing them with SHA-1 (but their deprecation policy exempts their own certificates)
Here is a statement from the CA Security Council
Although the CA Security Council (CASC), comprised of the seven largest Certificate Authorities, supports migration to SHA-2, members are concerned about the impact on website users and administrators alike. Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeline is aggressive. In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades.
With fall shopping season nearly here, this policy may be particularly concerning for small internet stores, which could be impacted just before the holiday rush. Because many large sites have lockdown periods leading up to the end of the year, companies that have not transitioned may find themselves restricted from making the move until January, or beyond, due to lack of SHA-2 support. Although a migration to SHA-2 is necessary as computing power increases, because of the significant impact in migration and the lack of a practical attack until 2018, the CASC members recommends thetimelines announced by Microsoft in November 2013, which deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017.
If you want a clear explanation on all this, listen to what Steve Gibson has to say about it on Security Now (If it does not begin there automatically pick up the podcast at 48:37 for the SHA-1 discussion)